stack corrupter in nsWindow.cpp

VERIFIED FIXED in M14

Status


Core
XUL
P3
critical
VERIFIED FIXED
18 years ago
18 years ago

People

(Reporter: Colin Blake, Assigned: Frank Tang)

Tracking

Trunk
All
Linux
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

18 years ago
Frank,

Your Jan 9 checkin to widget/src/gtk/nsWindow.cpp introduced a stack corruptor 
bug (this is rev 1.225). In the new hunk of code that was added:
  - titleStr is declared as 256 bytes 
  - then destLen is set to 256 
  - then titleStr[destLen] is set to zero.

This is setting the 257th byte to zero, i.e. you are writing beyond the end of the 
allocated buffer, and thus corrupting whatever happens to be on the stack.

I have no idea why other platforms aren't seeing it, as it was preventing 
Mozilla from starting up on OpenVMS. I guess they just got lucky!

Colin.
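The following is an added example, not code from this bug or from the Mozilla tree, that models the write described above. It puts the 256-byte titleStr in a flat byte array with a few canary bytes after it (a constructed stand-in for whatever the compiler placed next to titleStr on the stack), and replaces nsIUnicodeEncoder::Convert with a hypothetical convert_title() that, like the real call, takes destLen by address and reports back the number of bytes written. Three variants of the SetTitle sequence are run: the code as reported (terminator written at index 256 before the conversion), the code with that line removed, and a version that reserves one byte of the buffer for the terminator. The middle variant is included because, if Convert does report bytes written through destLen, a title of 256 or more characters still makes the remaining `titleStr[destLen] = 0` land at index 256.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TITLE_BUF 256   /* titleStr is declared as 256 bytes in nsWindow.cpp */
#define NEIGHBOUR 8     /* constructed: bytes we pretend follow titleStr on the stack */

/* Constructed model of the stack frame: the title buffer followed by a few
 * canary bytes. One flat array keeps the demonstration free of undefined
 * behaviour: titleStr[256] is a valid index into bytes[], but it lands on
 * the neighbour bytes, which is exactly the corruption the report describes. */
typedef struct {
    unsigned char bytes[TITLE_BUF + NEIGHBOUR];
} frame_t;

static void frame_init(frame_t *f) {
    memset(f->bytes, 0, TITLE_BUF);
    memset(f->bytes + TITLE_BUF, 0xAA, NEIGHBOUR);   /* canary pattern */
}

/* 1 if the bytes beyond titleStr are untouched, 0 if something wrote there. */
static int neighbour_intact(const frame_t *f) {
    for (int i = 0; i < NEIGHBOUR; i++)
        if (f->bytes[TITLE_BUF + i] != 0xAA) return 0;
    return 1;
}

/* Hypothetical stand-in for nsIUnicodeEncoder::Convert (assumption, not the
 * real implementation): srcLen and destLen are in/out and come back holding
 * the UTF-16 units consumed and the bytes written. Non-ASCII becomes '?'. */
static int convert_title(const uint16_t *src, int32_t *srcLen,
                         char *dest, int32_t *destLen) {
    int32_t n = 0;
    while (n < *srcLen && n < *destLen) {
        uint16_t c = src[n];
        dest[n] = (c < 0x80) ? (char)c : '?';
        n++;
    }
    *srcLen = n;
    *destLen = n;
    return 0;   /* NS_OK */
}

/* Which version of the SetTitle sequence to run. */
enum variant { ORIGINAL, PATCHED, HARDENED };

static int set_title(frame_t *f, enum variant v,
                     const uint16_t *title, int32_t titleLen) {
    char *titleStr = (char *)f->bytes;
    titleStr[0] = 0;
    int32_t srcLen = titleLen + 1;               /* aTitle.Length() + 1 */
    int32_t destLen = TITLE_BUF;                 /* sizeof(titleStr) */
    if (v == HARDENED)
        destLen = TITLE_BUF - 1;                 /* keep one byte for the NUL */
    if (v == ORIGINAL)
        titleStr[destLen] = 0;                   /* the reported off-by-one */
    int rv = convert_title(title, &srcLen, titleStr, &destLen);
    if (rv == 0) {
        titleStr[destLen] = 0;   /* index 256 again if the buffer filled up */
        return 0;
    }
    return -1;
}

/* Constructed UTF-16 title of n 'A' characters plus terminator. */
static int32_t make_title(uint16_t *out, int32_t n, int32_t cap) {
    if (n > cap - 1) n = cap - 1;
    for (int32_t i = 0; i < n; i++) out[i] = 'A';
    out[n] = 0;
    return n;
}

/* Runs one variant on a titleLen-character title; 1 if the neighbour bytes
 * survived, 0 if they were corrupted. */
static int title_is_safe(enum variant v, int32_t titleLen) {
    uint16_t title[512];
    frame_t f;
    frame_init(&f);
    int32_t n = make_title(title, titleLen, 512);
    set_title(&f, v, title, n);
    return neighbour_intact(&f);
}

/* Length of the resulting C string, to show the hardened variant stays in
 * bounds and still terminates. */
static size_t title_strlen(enum variant v, int32_t titleLen) {
    uint16_t title[512];
    frame_t f;
    frame_init(&f);
    int32_t n = make_title(title, titleLen, 512);
    set_title(&f, v, title, n);
    return strlen((const char *)f.bytes);
}

int main(void) {
    const char *names[] = { "original", "patched", "hardened" };
    for (int v = ORIGINAL; v <= HARDENED; v++)
        printf("%-8s  7-char title: %s   300-char title: %s\n", names[v],
               title_is_safe((enum variant)v, 7) ? "ok" : "CORRUPT",
               title_is_safe((enum variant)v, 300) ? "ok" : "CORRUPT");
    return 0;
}
```

The original variant clobbers the neighbour bytes for any title, which matches the unconditional startup failure on OpenVMS; the variant with the line removed is clean for short titles but clobbers the same byte once the converter fills all 256 bytes; reserving sizeof(titleStr) - 1 for the conversion keeps the terminator inside the buffer in both cases.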

Updated

18 years ago
Severity: normal → critical
(Assignee)

Comment 1

18 years ago
You are right, that line of code is a bad leftover of a copy and paste. It 
should be removed. I will check in when the tree is open. In the meantime, 
please remove that line in your local build.
Status: NEW → ASSIGNED
Target Milestone: M14
(Assignee)

Comment 2

18 years ago
Here is the patch:
Index: nsWindow.cpp
===================================================================
RCS file: /m/pub/mozilla/widget/src/gtk/nsWindow.cpp,v
retrieving revision 1.231
diff -c -r1.231 nsWindow.cpp
*** nsWindow.cpp        2000/01/21 21:55:42     1.231
--- nsWindow.cpp        2000/01/26 03:15:49
***************
*** 1893,1905 ****
      titleStr[0] = 0;
      PRInt32 srcLen = aTitle.Length() + 1;
      PRInt32 destLen = sizeof(titleStr);
-     titleStr[destLen] = 0;
      result = converter->Convert(aTitle.GetUnicode(), &srcLen, titleStr,
        &destLen);
      NS_ASSERTION(NS_SUCCEEDED(result), "cannot convert title string");
      if (titleStr[0] && NS_SUCCEEDED(result)) {
        titleStr[destLen] = 0;
- printf("title string = [%s]\n", titleStr);
        gtk_window_set_title(GTK_WINDOW(mShell), titleStr);
        return NS_OK;
      }
--- 1893,1903 ----                                          
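Review bot: the `titleStr[destLen] = 0;` that this hunk keeps on the success path, just before gtk_window_set_title, has the same off-by-one as the line being deleted whenever the converter fills the buffer. destLen is initialised to sizeof(titleStr) (256) and passed to Convert by address, so when the title is long enough to use the whole buffer it can come back as 256, and the kept statement writes to titleStr[256] exactly as the removed one did. Initialise destLen to sizeof(titleStr) - 1 so a terminator always fits, and double-check whether srcLen = aTitle.Length() + 1 is meant to feed the trailing NUL through the converter as well. Dropping the debug printf is fine.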
i18ngrp, can someone review it and give me an ok?

Updated

18 years ago
Keywords: patch
(Assignee)

Comment 3

18 years ago
Fixed and checked in with other gtk changes (accent key bugs).
Status: ASSIGNED → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → FIXED

Comment 4

18 years ago
verified
Status: RESOLVED → VERIFIED